Hi Richard,Thanks for the - Page 2

dinocecchini · ‎11-04-2014

Hi,

i have a problem with a PBR statement.

in juniper this statement work fine, but now i change the juniper with a Cisco 4500X.

I try to disable the cef on the interface vlan but nothing.. what can be?

the juniper per config and the cisco per config are attached.

Thanks

Richard Burts · ‎11-05-2014

Dino

Thanks for the additional information. Based on this it looks like the configuration of PBR is right. If it is not working we need more information about the environment and probably more of the config to help us find the problem. Perhaps the output of the commands show route-map, show access-list, and show ip interface brief might be helpful.

HTH

Rick

HTH

Rick

dinocecchini · ‎11-05-2014

Hi Richard,

Thanks for the support.

This is the output:

sh access-list:

Extended IP access list 118
10 permit ip host 10.51.243.221 any

sh route-map

route-map PBR118, permit, sequence 10
Match clauses:
ip address (access-lists): 118
Set clauses:
ip next-hop 192.168.0.1
Policy routing matches: 0 packets, 0 bytes

sh ip int br | ex una

Interface IP-Address OK? Method Status Protocol
Vlan10 192.168.0.10 YES NVRAM up up
Vlan201 10.53.6.1 YES NVRAM up up
Vlan301 10.52.6.1 YES NVRAM up up
Vlan401 10.51.6.1 YES NVRAM up up
Vlan501 192.168.150.1 YES NVRAM up up

Thanks again

John Blakley · ‎11-05-2014

Were you able to check your sdm template as I suggested in an earlier post? It seems that Aref was able to check his and had to make a change for pbr to work. This may be what your cause is....

HTH, John *** Please rate all useful posts ***

dinocecchini · ‎11-05-2014

Hi John,

sorry but i forgot to tell you that i can't verify because the command "show sdm prefer" is not present. I try to find some alternatives but nothing of similar.

Thanks again

Aref Alsouqi · ‎11-05-2014

This is the ios version that runs on my Switch:

Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)

Regards,

Aref

John Blakley · ‎11-05-2014

My apologies. I didn't realize Aref is working with a 3550. I don't believe the 4500 series requires that.

I'm going to ask the obvious. Is routing enabled on the switch?

HTH, John *** Please rate all useful posts ***

dinocecchini · ‎11-05-2014

Yes, the routing is enabled.

it's possible a cef problem?

thanks

Aref Alsouqi · ‎11-05-2014

Honestly I need to read more about the difference between the command I applied and the one you mentioned in your erlier post, here what I see on my switch:

Switch#sh sdm prefer
The current template is the default extended-match template.

Regards,

Aref

Aref Alsouqi · ‎11-05-2014

I lab it up, at the beginning it did not work then I enabled some debugs and I noticed this error message "PBR L3TCAM−3−SIZE_CONFLICT: PBR requires enabling extended routing", looking for a reason and a solution, I found that I needed to apply the command "sdm prefer extended-match" in order to make the route map works on my switch (3550), in fact before applying that command, the ip policy route-map was not neither taken under the vlan 501 interface, but once I applied it the ip policy route-map command has been taken. You need to reload you switch after applying "sdm prefer extended-match".

Now in regard to the fact of receiving packets from a differnt network on vlan 501, there is no problem at all, at least from what I have seen in my lab, I simulated a design similar to yours, and the packets comming from the host 10.51.243.1 on interface vlan 501 (192.168.150.0/24) have been matched on the access list 118 and the route map works properly.

I hope this would be helpful.

Regards,

Aref

dinocecchini · ‎11-05-2014

Hi Aref,

Thanks for the support and for the patience.

I appreciate that you try in lab the my case! Now i'm out of office, tomorrow i try to configure as you said me and hope that work.

Thanks again,

Dino

Aref Alsouqi · ‎11-05-2014

You are very welcome Dino, try that when you are able to and let us know if it solves the issue.

Regards,

Aref

dinocecchini · ‎11-05-2014

Hi Aref,

i connect by VPN and i check that the command"sdm prefer extended-match" is not implemented in my switch.

Thanks

paul driver · ‎11-05-2014

Hello

If it localy originating from you network

ip sla 1
type echo protocol ip icmp echo 192.168.0.1
rtr schedule 1 life forever start-time now

track 10 rtr 1 reachability

route-map PBR118 permit 10
match ip address 118
set ip next-hop 192.168.0.1
set ip next-hop verify-availability 192.168.0.1 1track 10

route-map PBR118 permit 99

int vlan 501
ip policy route-map PBR118

int x/x (physical interface)
ip policy route-map PBR118

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dinocecchini · ‎11-05-2014

Hi Paul,

sorry for the late reply.

you say that it should be implemented in physical interface from where I get the traffic?

Thanks,

Dino

Richard Burts · ‎11-06-2014

Dino

Assuming that the physical interface where you receive the traffic is a layer 2 interface you do not need to configure ip policy on it (and I believe that the command would be rejected if you try since ip policy is a layer 3 function which would not operate on a layer 2 interface).

Paul

Using verify-availability is an interesting idea and would help prevent the situation where PBR is attempting to forward but the specified next hop is really not reachable. But I do not think that this fits the current problem which is that PBR is not forwarding the traffic. And I do not understand the purpose of route-map PBR118 permit 99. If the route map were used to help control a dynamic routing protocol (to alter metrics, or to prepend, or something like that) then the entry with no match and no set will allow remaining traffic to be processed without change. But what purpose would it serve in PBR?

HTH

Rick

HTH

Rick

PBR doesn't work